From 26/11 to NATGRID: How India’s ‘intelligence failure’ debate morphed into a mass surveillance architecture

The November 2008 Mumbai terror attacks — etched into public memory as “26/11” — left more than 160 people dead and an enduring question in India’s security discourse: was this a preventable “intelligence failure”? Seventeen years later, that question has resurfaced in a different form, as the National Intelligence Grid (NATGRID) expands quietly but decisively, raising fundamental concerns about surveillance, privacy, and democratic oversight.

The memory of 26/11 and the origins of the ‘intelligence failure’ charge

Television images of gunfire, explosions and the smoke-shrouded dome of the Taj Hotel unfolded over three days in November 2008, transforming the Mumbai attacks into a national trauma experienced in real time. Alongside the bravery of the Mumbai Police and security forces, a persistent refrain emerged in studios and commentaries — that the attacks represented a “major intelligence failure”.

This was not merely emotional shorthand. A high-level inquiry committee report and disclosures to Parliament pointed to gaps in the handling and synthesis of intelligence alerts. The problem, critics argued, was not the absence of information, but the inability to connect scattered fragments into a coherent warning.

One figure came to symbolise this gap: David Coleman Headley, a key conspirator who travelled repeatedly to India, leaving behind digital and bureaucratic trails — visa forms, hotel records, travel itineraries. Security hawks posed a compelling counterfactual: if these data points had been aggregated and analysed in time, could lives have been saved?

The birth of NATGRID as a technological remedy

Out of this psychological aftershock emerged an ambitious institutional response — the National Intelligence Grid, or “National Intelligence Grid”. First publicly announced in December 2009, NATGRID was conceived as a middleware platform that would allow specified intelligence and investigative agencies to query a wide range of databases through a single interface.

The design was sweeping. Eleven central agencies were to gain access to data across 21 categories, routed through provider organisations covering identity and assets, travel and movement, financial intelligence, and telecommunications. In effect, NATGRID promised to become the state’s grand integrator — the tool that would finally “stitch together” intelligence fragments.

Yet unease surfaced almost immediately. As this newspaper reported in February 2010, Ministers themselves raised concerns about safeguards and demanded further study, invoking fears of a “Big Brother” state. The core constitutional question was not whether surveillance could ever be justified, but whether a project of such magnitude could operate without a clear statutory framework or independent oversight.

Cleared by executive order, stalled for years

Despite these concerns, NATGRID was cleared in June 2012 — not through an Act of Parliament, but via an executive decision of the Cabinet Committee on Security. The first phase, branded “Horizon–I”, was allocated ₹1,002.97 crore.

What followed was a decade of delays, cost escalations and missed deadlines. For many observers, NATGRID began to resemble “vaporware”: a project that existed largely on paper, invoked to reassure public anger after 26/11 but never quite operationalised as the massive citizen-tracking engine its critics feared.

That perception no longer holds.

A quiet but decisive expansion in 2025

Two recent reports have revealed both quantitative and qualitative shifts in NATGRID’s functioning. Following a national conference of Directors General of Police in Raipur in November 2025, chaired by the Prime Minister, States were asked to scale up their use of the platform. NATGRID, officials disclosed, now processes roughly 45,000 requests every month.

More strikingly, access is no longer confined to central intelligence and investigative agencies. Police units — including officers down to the rank of Superintendent of Police — are being brought into the system. What was once pitched as a narrowly tailored counter-terror tool is steadily becoming embedded in routine policing.

The unsettling integration with the National Population Register

Even more consequential is the reported integration of NATGRID with the “National Population Register” (NPR). The NPR contains demographic and relational details of approximately 1.19 billion residents, mapping households, kinship links and identities. It has also been politically volatile, repeatedly linked in public discourse to the National Register of Citizens (NRC) and anxieties about citizenship verification.

Grafting a population register onto an intelligence-query platform crosses a critical boundary. The logic shifts from tracking discrete, suspect-linked events to enabling the mapping of entire populations. In effect, the architecture moves from intelligence-led policing towards population-level surveillance.

From ‘search bar’ to inference machine

NATGRID’s evolution is unfolding not in the technological world of 2008, but in 2025 — amid rapid advances in machine learning and large-scale analytics. Reports have highlighted the deployment of “Gandiva”, an analytical engine capable of “entity resolution”, or determining whether fragmented records belong to the same individual.

Combined with facial recognition tools that can trawl telecom KYC databases and driving licence records, NATGRID is no longer merely a search interface. It is an inference engine — one that generates probabilistic judgments about individuals’ identities and, potentially, intentions.

This transformation alters the nature of the risk in two important ways.

Bias, scale, and the illusion of objectivity

First is the problem of bias. Algorithms do not discover truth in a vacuum; they reproduce the distortions embedded in the data they ingest. If policing practices are already skewed by caste, religion or geography, analytics can harden these inequities and cloak them in the language of objectivity.

For the privileged, a false positive may be an administrative inconvenience. For a young Muslim man in a small town, already living under heightened suspicion, an automated “hit” can trigger prolonged harassment — or worse. Misidentification in such contexts is not a technical glitch; it can carry a real human cost.

Second is the tyranny of scale. NATGRID officials maintain that queries are classified by sensitivity and that every access is logged and justified. But without independent scrutiny, such safeguards remain largely formal. When tens of thousands of requests are processed every month, logging risks becoming a clerical ritual — especially in the absence of parliamentary or judicial oversight.

What 26/11 actually taught us about failure

Defenders of NATGRID often return to a familiar claim: that such systems are matters of life and death. Yet the lesson of 26/11 is more complex. Intelligence failures are rarely caused by data scarcity alone. They are more often products of institutional weakness, poor coordination, perverse incentives and unaccountability.

The Mumbai attacks revealed, among other things, that local police had gone without firearms training for over a year. No database could compensate for that failure.

The missing course correction

Tragically, institutional correction appears distant. India’s constitutional courts have so far allowed the expansive privacy doctrine articulated in “Justice K.S. Puttaswamy (Retd.) vs Union of India” to gather dust, even as surveillance architectures expand. The legality of intelligence programmes lacking statutory foundations or meaningful oversight remains unadjudicated, despite multiple pending cases.

Meanwhile, a martial public temper — reinforced by political rhetoric and popular culture — has narrowed the space for questioning the security establishment. Even after the New Delhi bombing of November 10, 2025, which killed 15 people, there has been little public debate about accountability or possible intelligence lapses. Is it now impolite to ask whether there was an “intelligence failure” even with NATGRID in place?

The shock of 26/11 continues to haunt India. But if prevention is the true objective, the remedy lies not in unchecked data accumulation, but in professional investigation insulated from political pressure, transparency about intelligence failures, and robust oversight by Parliament and the judiciary. Without these, NATGRID risks becoming an architecture of suspicion — normalised through fear, justified in the name of safety, and edging the republic closer to digital authoritarianism.